5-2 Safety Management Manual SMM certainly be deployed. This view would be correct if one were to adhere to the notion of “safety as the first priority”, and focus on the prevention of bad outcomes. However, under the notion of safety management, agreeing on the consequences of identified hazards and describing them in operational terms are not enough to engage in mitigation deployment. It is necessary to evaluate the seriousness of the consequences, so as to define priorities for the allocation of resources when proposing mitigation strategies. 5.2.5 It has already been proposed that it is a basic management axiom that one cannot manage what one cannot measure. Therefore, it is essential to somehow measure the seriousness of the consequences of hazards. This is the essential contribution of safety risk management to the safety management process. By “putting a number” on the consequences of hazards, the safety management process provides the organization with a principled basis for safety risk decisions and the subsequent allocation of organizational resources to contain the damaging potential of hazards. In this way, safety risk management completes the basic safety management trilogy of hazards-consequences-safety risks, and directly supports the resolution of the “dilemma of the two Ps” discussed in Chapter 3. 5.2.6 Risk, in its vernacular and broadest sense, has been the subject of much discussion, and literature on the topic is abundant. A potential for confusion exists, that is partly due to the vernacular use of the term, which is all too frequent, quite broad and generally vague. The first step in addressing the confusion is narrowing down the use of the generic term risk to the very specific term safety risk. Beyond this, it is essential from the outset to establish a clear definition of safety risk and to link such a definition to the concepts of hazards and consequences expressed in operational terms. 5.2.7 Even after narrowing the using of the generic term risk down to the more specific term safety risk, confusion may still arise. This is because the notion of risk is an artificial one. Safety risks are not tangible or visible components of any physical or natural environment; it is necessary to think about safety risks to understand or form an image of them. Hazards and consequences, on the other hand, are tangible or visible components of a physical or natural environment, and therefore intuitive in terms of understanding and visualization. The notion of a safety risk is what is known as a construct, i.e. it is an artificial convention created by humans. In simple words, while hazards and consequences are physical components of the natural world, safety risks do not really exist in the natural world. Safety risk is a product of the human mind intended to measure the seriousness of, or “put a number” on, the consequences of hazards. 5.2.8 Safety risk is defined as the assessment, expressed in terms of predicted probability and severity, of the consequences of a hazard, taking as reference the worst foreseeable situation. Typically, safety risks are designated through an alphanumeric convention that allows for their measurement. Using the example of crosswind discussed in Chapter 4, it can be seen that the proposed definition of safety risk allows one to link safety risks with hazards and consequences, thus closing the loop in the hazard-consequence-safety risk trilogy: a a wind of 15 knots blowing directly across the runway is a hazard; b the potential for a runway lateral excursion because a pilot might not be able to control the aircraft during take-off or landing is one of the consequences of the hazard; and c the assessment of the consequences of a runway lateral excursion, expressed in terms of probability and severity as an alphanumerical convention, is the safety risk. 5.3 FIRST FUNDAMENTAL — SAFETY RISK MANAGEMENT 5.3.1 Safety risk management is a generic term that encompasses the assessment and mitigation of the safety risks of the consequences of hazards that threaten the capabilities of an organization, to a level as low as reasonably practicable ALARP. The objective of safety risk management is to provide the foundation for a balanced allocation of Chapter 5. Safety Risks 5-3 resources between all assessed safety risks and those safety risks the control and mitigation of which are viable. In other words, safety risk management assists in resolving the “dilemma of the two Ps”. Safety risk management is therefore a key component of the safety management process. Its added value, however, lies in the fact that it is a data- driven approach to resource allocation, thus defensible and easier to explain. 5.3.2 Figure 5-1 depicts a broadly adopted generic visual representation of the safety risk management process. The triangle is presented in an inverted position, suggesting that aviation just like any other socio-technical production system is “top heavy” from a safety risk perspective: most safety risks of the consequences of hazards will be assessed as initially falling in the intolerable region. A lesser number of safety risks of the consequences of hazards will be assessed in such a way that the assessment falls straight in the tolerable region, and an even fewer number will be assessed in such a way that the assessment falls straight in the acceptable region. 5.3.3 Safety risks assessed as initially falling in the intolerable region are unacceptable under any circumstances. The probability andor severity of the consequences of the hazards are of such a magnitude, and the damaging potential of the hazard poses such a threat to the viability of the organization, that immediate mitigation action is required. Generally speaking, two alternatives are available to the organization to bring the safety risks to the tolerable or acceptable regions: a allocate resources to reduce the exposure to, andor the magnitude of, the damaging potential of the consequences of the hazards; or b if mitigation is not possible, cancel the operation. Figure 5-1. Safety risk management As Low As Reasonably Practicable The risk is unacceptable at any level. The risk is acceptable as it currently stands. Acceptable region Tolerable region Intolerable region The risk is acceptable based on mitigation. Cost-benefit analysis is required. 5-4 Safety Management Manual SMM 5.3.4 Safety risks assessed as initially falling in the tolerable region are acceptable, provided mitigation strategies already in place guarantee that, to the foreseeable extent, the probability andor severity of the consequences of hazards are kept under organizational control. The same control criteria apply to safety risks initially falling in the intolerable region and mitigated to the tolerable region. A safety risk initially assessed as intolerable that is mitigated and slides down to the tolerable region must remain “protected” by mitigation strategies that guarantee its control. In both cases, a cost-benefit analysis is required: a Is there a return on the investment underlying the allocation of resources to bring the probability andor severity of the consequences of hazards under organizational control? or b Is the allocation of resources required of such magnitude that will pose a greater threat to the viability of the organization than bringing the probability andor severity of the consequences of hazards under organizational control? 5.3.5 The acronym ALARP is used to describe a safety risk that has been reduced to a level that is as low as reasonably practicable. In determining what is “reasonably practicable” in the context of safety risk management, consideration should be given both to the technical feasibility of further reducing the safety risk, and the cost. This must include a cost-benefit analysis. Showing that the safety risk in a system is ALARP means that any further risk reduction is either impracticable or grossly outweighed by the cost. It should, however, be borne in mind that when an organization “accepts” a safety risk, this does not mean that the safety risk has been eliminated. Some residual level of safety risk remains; however, the organization has accepted that the residual safety risk is sufficiently low that it is outweighed by the benefits. 5.3.6 Safety risks assessed as initially falling in the acceptable region are acceptable as they currently stand and require no action to bring or keep the probability andor severity of the consequences of hazards under organizational control. 5.3.7 Cost-benefit analyses are at the heart of safety risk management. There are two distinct costs to be considered in cost-benefit analyses: direct costs and indirect costs. 5.3.8 Direct costs are the obvious costs and are fairly easy to determine. They mostly relate to physical damage and include rectifying, replacing or compensating for injuries, aircraftequipment and property damage. The high costs underlying the loss of organizational control of certain extreme consequences of hazards, such as an accident, can be reduced by insurance coverage. It must be borne in mind, however, that purchasing insurance does nothing to bring the probability andor severity of the consequences of hazards under organizational control; it only transfers the monetary risk from the organization to the insurer. The safety risk remains unaddressed. Simply buying insurance to transfer monetary risk can hardly be considered a safety management strategy. 5.3.9 Indirect costs include all those costs that are not directly covered by insurance. Indirect costs may amount to more than the direct costs resulting from loss of organizational control of certain extreme consequences of hazards. Such costs are sometimes not obvious and are often delayed. Some examples of uninsured costs that may accrue from loss of organizational control of extreme consequences of hazards include: a Loss of business and damage to the reputation of the organization. Many organizations will not allow their personnel to fly with an airline with a questionable safety record. b Loss of use of equipment. This equates to lost revenue. Replacement equipment may have to be purchased or leased. Companies operating a one-of-a-kind aircraft may find that their spares inventory and the people specially trained for such an aircraft become surplus. c Loss of staff productivity. If people are injured in an occurrence and are unable to work, labour legislation may still require that they continue to receive some form of compensation. Also, these Chapter 5. Safety Risks 5-5 people will need to be replaced, at least for the short term, with the organization incurring the cost of wages, training, overtime, as well as imposing an increased workload on the experienced workers. d Investigation and clean-up. These are often uninsured costs. Operators may incur costs from the investigation including the cost of the involvement of their staff in the investigation, as well as the cost of tests and analyses, wreckage recovery and restoring the event site. e Insurance deductibles. The policyholder’s obligation to cover the first portion of the cost of any event must be paid. A claim will also put a company into a higher risk category for insurance purposes and therefore may result in increased premiums. Conversely, the implementation of safety mitigation interventions could help a company to negotiate a lower premium. f Legal action and damage claims. Legal costs can accrue rapidly. While it is possible to insure for public liability and damages, it is virtually impossible to cover the cost of time lost handling legal action and damage claims. g Fines and citations. Government authorities may impose fines and citations and possibly shut down unsafe operations. 5.3.10 Cost-benefit analyses produce results that can be numerically precise and analytically exact. Nevertheless, there are less exact numeric factors that weigh in a cost-benefit analysis. These factors include: a Managerial. Is the safety risk consistent with the organization’s safety policy and objectives? b Legal. Is the safety risk in conformance with current regulatory standards and enforcement capabilities? c Cultural. How will the organization’s personnel and other stakeholders view the safety risk? d Market. Will the organization’s competitiveness and well-being vis-à-vis other organizations be compromised by the safety risk? e Political. Will there be a political price to pay for not addressing the safety risk? f Public. How influential will the media or special interest groups be in affecting public opinion regarding the safety risk? 5.4 SECOND FUNDAMENTAL — SAFETY RISK PROBABILITY 5.4.1